People & Processes

Non-Compliance is Not an Option

by Dave Lutz

Any organization that accepts payment card transactions must become PCI compliant by the end of this month

Have you implemented processes and safeguards and tweaked your technology to protect your members' or attendees' identity and credit card information from falling into the wrong hands? If you are one of those planners who e-mails Excel rooming lists with credit card numbers to your hotel or housing provider, you need to find a more secure method - now.

The clock is ticking. By the end of 2007, any organization that accepts payment card transactions must be PCI (Payment Card Industry) compliant. Additionally, organizations that store, process, or transmit credit or debit card data must also be compliant. Many of the 12 PCI DSS (Data Security Standard) compliance requirements deal with firewalls, data access, data storage and encryption, and all of those areas that keep IT professionals busy. It is estimated that between 35 percent and 50 percent of all companies will not make the end-of-year compliance deadline. Companies that are compromised and found to be non-compliant run the risk of incurring heavy fines, restrictions, or permanent expulsion from processing credit card payments.

As planners, you need to make sure that your risk management strategy includes taking "reasonable care" of participant data both within your own organization as well as with the vendors or technology solution providers that you choose. Here are a few recommendations:

  • RFPs and contracts - request that all vendors that will have access to your attendee, exhibitor, or member credit card numbers provide proof of PCI compliance. If they haven't taken the steps to become compliant, you should likely be looking for new partners. If the vendor will also be processing credit card data on site, they should explain the precautions that will be taken when operating on a leased or temporary network.
  • Document storage - if you have registration, housing, or other forms that contain credit card data, you should have policies and procedures in place to limit access and to shred the documents so they don't get into the wrong hands. These policies need to be in place for your office as well as on site (especially if you use temps).
  • Passwords - don't share yours with anyone. If you use temps, make sure that each person's password is confidential and unique, and that it allows access only to the data needed to perform their assigned duties.
  • Transmitting information - if you have to send a rooming list with credit card data to one of your vendors, work with your IT team to identify a secure method of delivery and access.

PCI compliance is not optional. It simply makes good business sense and it is not necessarily a difficult process. Some organizations are putting it off because they believe they have more pressing business issues, or they think they don't process enough credit card transactions to "warrant" the cost to become compliant. Don't accept excuses for not meeting this business standard. While being compliant doesn't guarantee that your data will not be compromised, it does substantially decrease the odds. Your members and attendees assume that you are taking these necessary steps so that it is safe to do business with you. You can't afford to let them down. To learn more about PCI compliance, visit www.pcicomplianceguide.org.

Dave Lutz is managing director of Velvet Chainsaw Consulting, www.velvetchainsaw.com, a business improvement consultancy specializing in the meeting and event industry. His company assists organizations in realizing top- and bottom-line growth by delivering customer-focused solutions in business development, best practice and process improvement, strategic planning, and training.